BaseSAFE: Baseband SAnitized Fuzzing Through Emulation
Oh wow! I played around with getting a sim900 firmware running against qemu and open source tower implementations for finding exploits.
But this goes way farther than I had even planned! Connecting it to fuzzing infrastructure is super duper neat. I was just using it as a reproducible target to manually get it into weird states.
Would you be willing to talk about how you went about doing this? I do a good amount of fuzzing and would like to expand into fuzzing infra as well.
This is focused on LTE. For telecommunications, the most useful approach I have found to date was to fuzz using ASN.1 [1][2]. Everything in telecoms is ASN.1, and vendors usually write their own parser generators.
[1] This is focused on X.509/TLS, but the approach is the same: https://blog.doyensec.com/2020/05/14/asn1fuzz.html
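The structure-aware ASN.1 fuzzing the comment above describes, as an added example that is not from the paper, the linked post, or the commenter: a Python script encodes a constructed seed message (a SEQUENCE of an INTEGER and an OCTET STRING, made up for illustration and not a real LTE or X.509 structure), derives length, tag and nesting mutants from the parsed structure rather than by flipping random bytes, and runs each through a strict DER decoder, classifying every run as accepted, rejected (a controlled DerError) or crash (any other exception, which is the kind of bug a fuzzer is hunting). The names DerError, mutants and run_fuzz, the depth limit of 8 and the 4-byte cap on long-form lengths are assumptions of this example.

```python
"""Structure-aware ASN.1 DER fuzzing (added example, not from the paper or the
linked post). A well-formed seed is mutated at TLV boundaries and each mutant
is fed to a strict DER decoder that must reject it with DerError, never crash."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


class DerError(ValueError):
    """The decoder's controlled failure for any DER violation it detects."""


def der_len(n):
    """Encode a DER length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body, claimed_len=None):
    """Tag-length-value; claimed_len lets a mutator lie about the length."""
    return bytes([tag]) + der_len(len(body) if claimed_len is None else claimed_len) + body


def encode(node):
    """node is (tag, bytes) for primitives or (tag, [child, ...]) for constructed."""
    tag, val = node
    return tlv(tag, b"".join(encode(c) for c in val) if isinstance(val, list) else val)


def parse_tlv(buf, pos, end, depth):
    """Strict DER TLV parser bounded by `end`; returns (node, next_pos)."""
    if depth > 8:  # assumed nesting limit for this example
        raise DerError("nesting too deep")
    if pos + 2 > end:
        raise DerError("truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nb = first & 0x7F
        if nb == 0:
            raise DerError("indefinite length is not DER")
        if nb > 4 or pos + nb > end:  # assumed cap: at most 4 length bytes
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
        if length < 0x80 or (nb > 1 and length < 1 << (8 * (nb - 1))):
            raise DerError("non-minimal length encoding")
    else:
        length = first
    if pos + length > end:
        raise DerError("length exceeds enclosing buffer")
    if tag & 0x20:  # constructed: children must fill exactly the declared span
        children, p = [], pos
        while p < pos + length:
            child, p = parse_tlv(buf, p, pos + length, depth + 1)
            children.append(child)
        return (tag, children), pos + length
    return (tag, buf[pos:pos + length]), pos + length


def decode(buf):
    node, end = parse_tlv(buf, 0, len(buf), 0)
    if end != len(buf):
        raise DerError("trailing data after top-level element")
    return node


# Constructed seed: SEQUENCE { INTEGER 5, OCTET STRING "hello" }.
SEED = (SEQUENCE, [(INTEGER, b"\x05"), (OCTET_STRING, b"hello")])


def mutants(seed=SEED):
    """Length, tag and nesting mutations derived from the seed's structure."""
    tag, (c1, c2) = seed
    c1_tag, c1_val = c1
    base = encode(seed)
    deep = base
    for _ in range(16):  # 16 wrappers exceed the assumed depth limit
        deep = tlv(tag, deep)
    return {
        "len_overrun": tlv(tag, tlv(c1_tag, c1_val, len(c1_val) + 1) + encode(c2)),
        "len_underrun": tlv(tag, tlv(c1_tag, c1_val, 0) + encode(c2)),
        "len_huge_long_form": bytes([tag, 0x84]) + b"\xff\xff\xff\xff" + base[2:],
        "len_indefinite": bytes([tag, 0x80]) + base[2:] + b"\x00\x00",
        "len_non_minimal": bytes([tag, 0x81]) + base[1:],
        "constructed_bit_flip": tlv(tag, tlv(c1_tag | 0x20, c1_val) + encode(c2)),
        "deep_nesting": deep,
        "trailing_data": base + b"\x00",
        "truncated": base[:-1],
    }


def run_fuzz(seed=SEED):
    """Map each input name to accepted / rejected / crash:<ExceptionType>."""
    results = {}
    for name, data in [("seed", encode(seed))] + list(mutants(seed).items()):
        try:
            decode(data)
            results[name] = "accepted"
        except DerError:
            results[name] = "rejected"
        except Exception as exc:  # IndexError, RecursionError, ...: the real findings
            results[name] = f"crash:{type(exc).__name__}"
    return results


if __name__ == "__main__":
    for name, outcome in run_fuzz().items():
        print(f"{name:22s} {outcome}")
```

Against a real target the `decode` call is replaced by the vendor parser (or the emulated baseband in the paper's setup) and only the "crash" bucket matters; the mutant generator is the part that carries over, because length-field and nesting mutations produced from the parsed tree reach code paths that byte-flipping a valid message almost never does.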
Yes, LTE makes heavy use of ASN.1, too - the parsers are an interesting target indeed (and some of the fuzzed ones referred to in the paper are such parsers). Although these days, ASN.1 parsers usually get auto-generated, so the attack vector is not as large anymore. More interesting can be the places where the parsed structs then get processed afterward.
Another big part of that stack is CSN.1. A long long lost spec.
For those unfamiliar with the two most important terms covered in this paper, they are fuzzing [1] & baseband processor [2]: